Reproducible build fails due to a missing dependency

[Giszmo]

Following the reproducible build instructions, I run into a missing dependency openjdk-8-jdk-headless=8u302-b08-1~deb9u1:

$ mkdir ~/tmp
$ cd ~/tmp/
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ git checkout v0.3.1 
HEAD is now at 4ffb929 v0.3.1
...
Step 14/35 : RUN apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update
 ---> Running in a098df6b197f
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:5 https://dl.winehq.org/wine-builds/debian bullseye InRelease
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [748 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main i386 Packages [748 kB]
Fetched 1549 kB in 1s (1847 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '8u302-b08-1~deb9u1' for 'openjdk-8-jdk-headless' was not found
The command '/bin/sh -c apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update' returned a non-zero code: 100

I'm publishing my findings on WalletScrutiny and would love to soon list this app – particularly Android – as reproducible.

[emanuelb]

The build failures can be fixed easily manually by removing the version strings that cause failures in time of check, like:

sed -i 's/winehq-stable=6.0.2~bullseye-1/winehq-stable/g' ./scripts/builder.Dockerfile;
sed -i 's/openjdk-8-jdk-headless=8u302-b08-1~deb9u1/openjdk-8-jdk-headless/g' ./scripts/builder.Dockerfile;

and then call the container build command:

podman build --rm -f scripts/builder.Dockerfile -t spark-builder031 .
mkdir docker-builds
podman run --rm --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined -it -v `pwd`/docker-builds:/target:Z,rw spark-builder 

which will build debug apk, for creating release apk the RB instructions at: https://github.com/shesek/spark-wallet/blob/8b66e1df830f9e6c1bb8eab874103a509028ca60/doc/reproducible-builds.md#reproduce-with-docker

should be updated as it's require more steps that are not documented, like creating the spark-signing-keys directory. https://github.com/shesek/spark-wallet/blob/112fd9bb835f4ee10feeeb46d6c6ebeb78db1c61/scripts/release.sh#L22-L23

latest commit in repo is for not released version 0.3.2-rc, for the upcoming version the suggestions regarding RB are:

1. update rb documentation on building release apk (creating content of spark-signing-keys directroy)

2. use SOURCE_DATE_EPOCH env var https://reproducible-builds.org/docs/source-date-epoch/

using it might allow to git rid of faketime usage in (if faketime is still needed a bug upstream for the affected component should be opened to support SOURCE_DATE_EPOCH): https://github.com/shesek/spark-wallet/blob/b35d317afbb104245649e9f30f90c45553ccd4a1/electron/build.sh#L32-L38 https://github.com/shesek/spark-wallet/blob/bd8939934793bda15f68ba0a1ea1bf0b05c219d0/scripts/builder.Dockerfile#L9

3. update all deps as it likely 1 of them is to blame for RB failure, and do RB test locally on latest commit.